Today, we present a sponsored podcast discussion on the changing needs for, and heightened value around, improved identity and access management (IAM).
We'll examine now how business trends are forcing organizations to
safely allow access to all kinds of applications and myriad resources
anytime, anywhere, and from any device.

So
join us now as we explore how new IDaaS offerings are helping companies
far better protect and secure their informational assets. Here to
share insights into this future of identity management is Paul Trulove, Vice President of Product Marketing at SailPoint Technologies in Austin, Texas. Welcome, Paul. [Disclosure: SailPoint is a sponsor of BriefingsDirect podcasts.]

Paul Trulove: Thanks, Dana. Glad to be here.

Gardner:
The word "control" comes up so often when I talk to people about
security and IT management issues, and companies seem to feel that they
are losing control, especially with such trends as BYOD. How do
companies regain that control, or do we need to think about this
differently. Is it no longer an issue of control?

Trulove:
The reality in today's market is that a certain level of control will
always be required. But as we look at the rapid adoption of new
corporate enterprise resources, things like cloud-based applications or
mobile devices where you could access corporate information anywhere in
the world at any time on any device, the reality is that we have to put a
base level of controls in place that allow organizations to protect the
most sensitive assets. But you have to also provide ready access to the
data, so that the organizations can move at the pace of what the
business is demanding today.

Gardner: The expectations of users has changed. When they can go sign up for a software-as-a-service (SaaS)
application or access cloud services, they're used to having more of
their own freedom. How is that something that we can balance, allow them
to get the best of their opportunity and their productivity benefits,
but at the same time, allow for the enterprise to be as low risk as
possible?

Trulove: That's the area that the organization
has to find the right balance for their particular business that meets
the internal demands, the external regulatory requirements, and really
meet the expectations of their customer base. While the productivity
aspect can't be ignored, taking a blind approach to allowing an
individual end-user to begin to migrate structured data out of something
like an SAP or other enterprise resource planning (ERP) systems, up to a personal Box.com account is something most organizations are just not going to allow.

Each
organization has to step back, redefine the different types of policies
that they're trying to put in place, and then put the right kind of
controls that mitigate risk in terms of inappropriate acts, access to
critical enterprise resources and data, but also allow the end user to
have a little bit more control and little bit more freedom to do things
that make them the most productive.

Uptake in SaaS

Gardner:
We've seen a significant uptake in SaaS, certainly at the number of
apps level, communications, and email, but it seems as if some of the
infrastructure services around IAM are lagging. Is there a maturity
issue here, or is it just a natural way that markets evolve? What's the
case in understanding why the applications have gone fast, but we're now
just embarking on IDaaS?

Trulove: We're seeing a
common trend in IT if you look back over time, where a lot of the
front-end business applications were the first to move to a new
paradigm. Things like ERP and service resource management (SRM)-type
applications have all migrated fairly quickly.

Over the last decade, we've really seen a lot of the sales management applications, like Salesforce and NetSuite come on as full force. Now, there are things like Workday
and even some of the work force management becoming very popular.
However, the infrastructure generally lagged for a variety of reasons.

In
the IAM space, this is a critical aspect of enterprise security and
risk management as it relates to guarding the critical assets of the
organization. Security practitioners are going to look at new technology
very thoroughly before they begin to move things like IAM out to a new
delivery paradigm such as SaaS.

The other thing is that
organizations right now are still fundamentally protecting internal
applications. So there's less of a need to move your infrastructure out
into the cloud until you begin to change the overall delivery paradigm
for your internal application.

As customers implement more and more of their software out in the cloud, that's a good time for them to begin to explore IDaaS.

What
we're seeing in the market, and definitely from a customer perspective,
is that as customers implement more and more of their software out in
the cloud, that's a good time for them to begin to explore IDaaS.

Look
at some of the statistics being thrown around. In some cases, we've
seen that 80 percent of new software purchases are being pushed to a
SaaS model. Those kinds of companies are much more likely to embrace
moving infrastructure to support that large cloud investment with fewer
applications to be managed back in the data center.

Gardner:
As you mentioned, SaaS has been around for 10 years, but the notion of
mobile-first applications now has picked up in just the last two or
three years. I have to imagine that's another accelerant to looking at
IAM differently when you get the devices.

We've talked a little bit about SaaS and IDaaS, coming on as a follow up, how does the mobile side of things impact this?

Trulove:
Mobile plays a huge part in organizations' looking at IDaaS, and the
reason is that you’re moving the device that's interacting with the
identity management service outside the bounds of the firewall and the
network. So, having a point of presence in the cloud gives you a very
easy way to generate all of the content out to the devices that are
being operated outside of the traditional bounds of the IT organization,
which was generally networked in to the PCs, laptops, etc that are on
the network itself.

Moving to IDaaS

Gardner:
I'd like to get into what hurdles organizations need to overcome to
move in to IDaaS, but let's define this a little better for folks that
might not be that familiar with it. How does SailPoint define IDaaS?
What are we really talking about?

Trulove:
SailPoint looks at IDaaS as a set of capabilities across compliance and
governance, access request and provisioning, password management, single sign-on (SSO),
and Web access management that allow for an organization to do
fundamentally the same types of business processes and activities that
they do with an internal IAM systems, but delivered from the cloud.

We
also believe that it's critical, when you talk about IDaaS to not only
talk about the cloud applications that are being managed by that
service, but as importantly, the internal applications behind the
firewall that still have to be part of that IAM program.

Gardner:
So, this is not just green field. You have to work with what's already
in place, and it has to work pretty much right the first time.

Trulove:
Yes, it does. We really caution organizations against looking at cloud
applications in a siloed manner from all the things that they're
traditionally managing in the data center. Bringing up a secondary IAM
system to only focus on your cloud apps, while leaving everything that
is legacy in place, is a very dangerous situation. You lose visibility,
transparency, and that global perspective that most organizations have
struggled to get with the current IAM approaches across all of those
areas that I talked about.

We see a little bit less of the data export concerns with companies here
in the US, but it's a much bigger concern for companies in Europe and
Asia in particular.

Gardner: So, we
recognize that these large trends are forcing a change, users want their
freedom, more mobile devices, more different services from different
places, and security being as important if not more than ever. What is
holding organizations back from moving towards IDaaS, given that it can
help accommodate this very complex set of requirements?

Trulove:
It can. The number one area, and it's really made up of several
different things, is the data security, data privacy, and data export
concerns. Obviously, the level at which each of those interplay with one
another, in terms of creating concern within a particular organization,
has a lot to do with where the company is physically located. So, we
see a little bit less of the data export concerns with companies here in
the US, but it's a much bigger concern for companies in Europe and Asia
in particular.

Data security and privacy are the two
that are very common and are probably at the top of every IT security
professional’s list of reasons why they're not looking at IDaaS.

Gardner:
It would seem that just three or four years ago, when we were talking
about the advent of cloud services, quite a few people thought that
cloud was less secure. But I’ve certainly been mindful of increased and
improved security as a result of cloud, particularly when the cloud
organization is much more comprehensive in how they view security.

They're
able to implement patches with regularity. In fact, many of them have
just better processes than individual enterprises ever could. So, is
that the case here as well? Are we dealing with perceptions? Is there a
case to be made for IDaaS being, in fact, a much better solution
overall?

IAM as secure

Trulove:
Much like organizations have come to recognize the other categories of
SaaS as being secure, the same thing is happening within the context of
IAM. Even a lot of the cloud storage services, like Box.com, are now
signing up large organizations that have significant data security and
privacy concerns. But, they're able to do that in a way and provide the
service in a way where that assurance is in place that they have control
over the environment.

And so, I think the same thing
will happen with identity, and it's one of the areas where SailPoint is
very focused on delivering capabilities and assurances to the customers
that are looking at IDaaS, so that they feel comfortable putting the
kinds of information and operating the different types of IAM
components, so that they get over that fear of the unknown.

Gardner:
Before we get into some of the details about how you’re approaching
this, and what your services can provide, I'm curious about what
companies can expect to get when they pursue the full cloud and services
panoply of possibilities across apps, data, IT management, and other
services. What are some of the business drivers? What do you get if you
do this right and you make the leap to the services’ strata?

Trulove:
One of the biggest benefits of moving from a traditional IAM approach
to something that is delivered as IDaaS is the rapid time to value. It's
also one of the biggest changes that the organization has to be
prepared to make, much like they would have as they move from a Siebel- to a Salesforce-type model back in the day.

IAM
delivered as a service needs to be much more about configuration,
versus that customized solution where you attempt to map the product and
technology directly back to existing business processes.

The benefit that they get out of that is a much lower total cost of ownership (TCO), especially around the deployment aspects of IDaaS.

One
of the biggest changes from a business perspective is that the business
has to be ready to make investments in business process management, and
the changes that go along with that, so that they can accommodate the
reality of something that's being delivered as a service, versus
completely tailoring a solution to every aspect of their business.

Gardner:
It's interesting that you mentioned business process and business
process management. It seems to me that by elevating to the cloud for a
number of services and then having the access and management controls
follow that path, you’re able to get a great deal of flexibility and
agility in how you define who it is you’re working with, for how long,
for when.

It seems to me that you can use policies and
create rules that can be extended far beyond your organization’s
boundaries, defining workgroups, defining access to assets, creating and
spinning up virtualized companies, and then shutting them down when you
need. So, is there a new level of consideration about a boundaryless
organization here as well?

Trulove: There is.
One of the things that is going to be very interesting is the
opportunity to essentially bring up multiple IDaaS environments for
different constituents. As an organization, I may have two or three
fundamentally distinct user bases for my IAM services.

Separate systems

I
may have an internal population that is made up of employees, and
contractors that essentially work for the organization that need access
to a certain set of systems. So I may bring up a particular environment
to manage those employees that have specific policies and workflows and
controls. Then, I may bring up a separate system that allows for
business partners or individual customers to have access to very
different environments within the context of either cloud or on-prem IT
resources.

The advantage is that I can deploy these
services uniquely across those. I can vary the services that are
deployed. Maybe I provide only SSO and basic provisioning services for
my external user populations. But for those internal employees, I not
only do that, but I add access certifications, and segregation of duties (SOD)
policy management. I need to have much better controls over my internal
accounts, because they really do guard the keys to the kingdom in terms
of data and application access.

Gardner: We began this conversation talking about balance. It certainly seems to
me that that level of ability, agility, and defining new types of
business benefits far outweighs some of the issues around risk and
security that organizations are bound to have to solve one way or the
other. So, it strikes me as a very compelling and interesting set of
benefits to pursue.

Let's look now, Paul, at your products. You've delivered the SailPoint IdentityNow suite.
You've got a series of capabilities, and there are more to come. As you
were defining and building out this set of services, what were some of
the major requirements that you had, that you needed to check off before
you brought this to market?

Trulove: The number
one capability that we really talk to a lot of customers about is an
integrated set of IAM services that span everything from that compliance
and governance to access request provisioning and password management
all the way to access management and SSO.

They can get value out of it, not necessarily on day one, but within weeks, as opposed to months.

One
of the things that we found as a critical driver for the success of
these types of initiatives within organizations is that they don't
become siloed, and that as you implement a single service, you get to
take advantage of a lot of the work that you've done as you bring on the
second, third, or fourth services.

The other big
thing is that it needs to be ready immediately. Unlike a traditional IAM
solution, where you might have deployment environments to buy and
implement software to purchase and deploy and configure, customers
really expect IDaaS to be ready for them to start implementing the day
that they buy.

It's a quick time-to-value, where the
organization deploying it can start immediately. They can get value out
of it, not necessarily on day one, but within weeks, as opposed to
months. Those things were very critical in deploying the service.

The
third thing is that it is ready for enterprise-level requirements. It
needs to meet the use cases that a large enterprise would have across
those different capabilities, but also as important, that it meets data
security, privacy, and export concerns that a large enterprise would
have relative to beginning to move infrastructure out to the cloud.

Even
as a cloud service, it needs a very secure way to get back into the
enterprise and still manage the on-prem resources that aren’t going away
anytime soon. n one hand we would talk to customers about managing
things like Google Apps, Salesforce and Workday. In the same breath,
they also talk about still needing to manage the mainframe and the on-premises enterprise ERP system that they have in place.

So,
being able to span both of those environments to provide that secure
connectivity from the cloud back into the enterprise apps was really a
key design consideration for us as we brought this product to market.

Hybrid model

Gardner: It sounds if it's a hybrid model from the get-go. We hear about public cloud, private cloud, and then hybrid. It sounds as if hybrid is really a starting point and an end point for you right away.

Trulove:
It's hybrid only in that it's designed to manage both cloud and on-prem
applications. The service itself all runs in the cloud. All of the
functionality, the data repositories, all of those things are 100
percent deployed as a service within the cloud. The hybrid nature of it
is more around the application that it's designed to manage.

Gardner:
You support a hybrid environment, but I see, given what you've just
said, that means that all the stock in trade and benefits as a service
offering are there, no hardware or software, going from a CAPEX to OPEX model, and probably far lower cost over time were all built in.

Trulove:
Exactly. The deployment model is very much that classic SaaS, a multitenant application where we basically run a single version of the
service across all of the different customers that are utilizing it.

Obviously,
we've put a lot of time, energy, and focus on data protection, so that
everybody’s data is protected uniquely for their organization. But we
get the benefits of that SaaS deployment model where we can push a
single version of the application out for everybody to use when we add a
new service or we add new capabilities to existing services. We take
care of upright processes and really give the customers that are
subscribing to the services the option of when and how they want to turn
new things on.

We've put a lot of time, energy, and focus on data protection, so that
everybody’s data is protected uniquely for their organization.

Gardner:
Let's just take a moment and look at the SailPoint IdentityNow suite.
Tell me what it consists of, and how this provides a benefit and on-ramp
to a better way of doing IT as a service and business as a service.

Trulove:
The IdentityNow suite is made up of multiple individual services that
can be deployed distinctly from one another, but all leverage a common
back-end governance foundation and common data repository.

The
first service is SSO and it very much empowers users to sign on to
cloud, mobile, and web applications from a single application platform.
It provides central visibility for end users into all the different
application environments that they maybe interacting with on a daily
basis, both from a launch-pad type of an environment, where I can go to a
single dashboard and sign on to any application that I'm authorized to
use.

Or I may be using back-end Integrated Windows Authentication,
where as soon as I sign into my desktop at work in the morning, I'm
automatically signed into all my applications as I used them during the
day, and I don’t have to do anything else.

The second
service is around password management. This is enabling that end-user
self-service capability. When end users need to change their password
or, more commonly, reset them because they’ve forgotten them over a long
weekend, they don’t have to call the help desk.

Strong authentication

They
can go through a process of authenticating through challenge questions
or other mechanisms and then gain access to reset that password and even
use some strong authentication mechanisms like one-time password tokens
that are going to be issued, allow the user to get in and then, change
that password to something that they will use on an ongoing basis.

The
third service is around access certifications, and this automates that
process of allowing organizations to put in place controls through which
managers or other users within the organization are reviewing who has
access to what on a regular basis. It's a very business-driven process
today, where an application owner or business manager is going to go in,
look at the series of accounts and entitlements that a user has, and
fundamentally make a decision whether that access is correct at a point
in time.

One of the key things that we're providing as
part of the access certification service is the ability to automatically
revoke those application accounts that are no longer required. So
there's a direct tie into the provisioning capabilities of being able to
say, Paul doesn’t need access to this particular active directory group
or this particular capability within the ERP system. I'm going to
revoke it. Then, the system will automatically connect to that
application and terminate that account or disable that account, so the
user no longer has access.

The final two services are
around access request and provisioning and advanced policy and
analytics. On the access request and provisioning side, this is all
about streamlining, how users get access. It can be the automated
birth-right provisioning of user accounts based on a new employee or
contractor joining new organization, reconciling when a user moves to a
new role, what they should or should not have, or terminating access on
the back end when a user leaves the organization.

What most customers see, as they begin to deploy IDaaS is the ability to get value very quickly.

All
of those capabilities are provided in an automated provisioning model.
Then we have that self-service access request, where a user can come in
on an ad-hoc basis and say, "I'm starting a new project on Monday and I
need some access to support that. I'm going to go in, search for that
access. I'm going to request it." Then, it can go through a flexible
approval model before it actually gets provisioned out into the
infrastructure.

The final service around advanced
policy and analytics is a set of deeper capabilities around identifying
where risks lie within the organization, where people might have
inappropriate access around a segregation of duty violation.

It's
putting an extra level of control in place, both of a detective nature,
in terms of what the actual environment is and which accounts that may
conflict that people already have. More importantly, it's putting
preventive controls in place, so that you can attach that to an access
request or provisioning event and determine whether a policy violation
exists before a provisioning action is actually taken.

Gardner:
You've delivered quite a bit in terms of this suite's offering this
year. Before we hear some more about some of the roadmap and future
capabilities, what are your customers finding now that they are gaining
as a result of moving to IDaaS as well, as the opportunity for specific
services within the suite? What do you get when you do this right?

Trulove:
What most customers see, as they begin to deploy IDaaS is the ability
to get value very quickly. Most of our customers are starting with a
single service and they are using that as a launching pad into a broader
deployment over time.

So you could take SSO as a
distinct project. We have customers that are implementing that SSO
capability to get rapid time to value that is very distinct and very
visible to the business and the end users within their organization.

Password management

Once
they have that deployed and up and running, they're leveraging that to
go back in and add something like password management or access
certification or any combination thereof.

We’re not
stipulating how a customer starts. We're giving them a lot of
flexibility to start with very small distinct projects, get the system
up and running quickly, show demonstrable value to the business, and
then continue to build out over time both the breadth of capabilities
that they are using but also the depth of functionality within each
capability.

Gardner: Do you have any instances,
Paul, where folks are saying, "We wanted to go mobile, but we're being
held back. Now that we've taken a plunge, this has really opened up a
whole new way for us to deliver data and applications to different
devices and mobile, whether it’s the campus setting or road warrior
setting." Any thoughts about how this is, in particular, aiding and
abetting mobile.

Trulove: Mobile is driving a
significant increase in why customers are looking at IDaaS. The main
reason is that mobile devices operate outside of the corporate network
in most cases. If you're on a smartphone and you are on a 3G, 4G, LTE
type network, you have to have a very secure way to get back into those
enterprise resources to perform particular operations or access certain
kinds of data.

One of the benefits that an IDaaS
service gives you is a point of presence in cloud that allows the mobile
devices to have something that is very accessible from wherever they
are. Then, there is a direct and very secure connection back into those
on-prem enterprise resources as well as out to the other cloud
applications that you are managing.

The other big thing we're seeing in addition to mobile devices is just the adoption of cloud applications.

The
reality in a lot of cases is that, as organizations add those BYOD type
policies and the number of mobile devices that are trying to access
corporate data increase significantly, providing an IAM infrastructure
that is delivered from the cloud is a very convenient way to help bring a
lot of those mobile devices under control across your compliance,
governance, provisioning, and access request type activities.

The
other big thing we're seeing in addition to mobile devices is just the
adoption of cloud applications. As organizations go out and acquire
multiple cloud applications, having a point of presence to manage those
in the cloud makes a big difference.

In fact, we've
seen several deployment projects of something like Workday actually
gated by needing to put in the identity infrastructure before the
business was going to allow their end users to begin to use that
service. So the combination of both mobile and cloud adoption are
driving a renewed focus on IDaaS.

Gardner: I
know you can't actually pre-announce, and I am not asking you to, but as
we consider what you can now do with these capabilities, perhaps you
can paint a little bit of a vision for us as to where you think your
offerings, and therefore the market and the opportunity for improvement
in the user organizations, is headed.

Trulove:
If you look at the road map that we have for the IdentityNow product,
the first three services are available today, and that’s SSO, password
management, and access certification. Those are the key services that
we're seeing businesses drive into the cloud as early adopters. Behind
that, we'll be deploying the access request and provisioning service and
the advanced policy and analytic services in the first half of 2014.

Continued maturation

Beyond
that, what we're really looking at is continued maturation of the
individual services to address a lot of the emerging requirements that
we're seeing from customers, not only across the cloud and mobile
application environments, but as importantly as they begin to deploy the
cloud services and link back to their on-prem identity and access
management infrastructure, as well as the applications that they are
continuing to run and manage from the data center.

Gardner:
So, more inclusive, and therefore more powerful, in terms of the
agility, when you can consider all the different aspects of what falls
under the umbrella of IAM.

Trulove: We're also
looking at new and innovative ways to reduce the deployment timeframes,
by building a lot of capabilities that are defined out of the box. These
are things like business processes, where there will be catalog of the
best practices that we see a majority of customers implement. That has
become a drop-down for an admin to go in and pick, as they are
configuring the application.

We're also looking at new and innovative ways to reduce the deployment
timeframes, by building a lot of capabilities that are defined out of
the box.

We'll be investing very heavily in areas
like that, where we can take the learning as we deploy and build that
back in as a set of best practices as a default to reduce the time
required to set up the application and get it deployed in a particular
environment.

Gardner: Well, great. I'm afraid
we'll have to leave it there. You've been listening to a sponsored
BriefingsDirect podcast discussion on the changing needs for and
heightened value around improved IAM, and we have seen how explosive
expected growth and change is forcing a move to more a pervasive use of
identity and access management as a service or IDaaS.

And,
of course, we've learned more about SailPoint Technologies and how
they're delivering the means for organizations to safely allow access to
all kinds of applications and resources anytime anywhere and from any
device.

With that, I'd like to thank our guest, Paul
Trulove, Vice President of Product Marketing at SailPoint Technologies.
Thanks, Paul.

Trulove: Thank you, Dana. I appreciate the time.

Gardner:
This is Dana Gardner, Principal Analyst at Interarbor Solutions. A big
thank you also to our audience for joining us, and a reminder to come
back and join us again next time.